Current Security Threats in Crypto and How to Mitigate Them


With the advent of cryptocurrencies came new opportunities and new threats. We are now able to serve as our own banks, yet may be unprepared to handle the security threats evolving in the digital banking space. Just as banks and financial services firms constantly enhance their security measures, we need to keep up with the latest developments in digital security to avoid falling victim to accidents and digital thievery. Here are the most common threats and pointers on how to mitigate them.


Malware

Malware, or malicious software, is a blanket term for any kind of program or code that can be harmful to your systems. Most online threats are some form of malware, seeking to make money off you illicitly. Although malware does not really damage the physical hardware of systems or network equipment, it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.¹

How to avoid malware?

First of all, it is important to install an antivirus program on your devices. This will help detect and remove potential malware threats that aim to steal your private keys or hijack your devices to mine cryptocurrencies. Secondly, avoid opening shady-looking websites and emails. Ignore random pop-ups and never download anything from unfamiliar providers.

Research Warns ‘Familiar’ Monero Mining Malware Is Infecting Windows Systems
A new hacking tool is propagating throughout the online community in an attempt to install cryptocurrency mining…cointelegraph.com

Phishing

Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data, such as personally identifiable information, banking and credit card details, as well as passwords. The information is then used to access important accounts and can result in identity theft and financial losses.²

How to avoid phishing?

It is close to impossible to avoid interaction with phishing emails, simply because spam filters have flaws. Oftentimes, we have to dig through the trash can that is the spam folder to look for legitimate emails that should have arrived in the inbox without any issues. When opening emails that come from sources that are not white-listed, hover the mouse over the links within the email to see where they will take you.

https://metamask.io/phishing.html

Legitimate websites should have SSL certificates. Ensure that the link has HTTPS at the beginning of the URL. Also, look for misspelled words within the hyperlink.

“I usually recommend that people use MetaMask, which is very good at spotting phishing sites, even though it is not its main purpose.” 

— MisterCh0c

Common sense should be your first line of defense. Phishing attempts usually appeal to fear, pressing you to take immediate action, and to greed, pushing you to seize that “once in a lifetime opportunity.” If it sounds too good to be true, it probably is. Be skeptical of everything that comes into your inbox.

22 Social Engineering Red Flags

SMS 2FA

In the last few years, Two-Factor Authentication (2FA), which used to be used mainly by geeks, has become a popular security measure in the mainstream. Two-factor authentication involves the use of two independent mechanisms to verify users’ claimed identities. An SMS (text message) with the access code is sent to a user’s mobile phone after login to ensure that account access is protected. However, it turns out that this is not the most secure option. In most countries, it is very easy to port a phone – someone else could claim your phone number and divert every call or SMS to a new device, change your password, and get access to your accounts. SMS messages with passwords can be intercepted. SIM cards can be removed and installed in another device, giving access to SMS messages with passwords. Others can sneak a peek at passwords sent by SMS.

How to avoid SMS 2FA limitations?

Opt out of using SMS 2FA and instead go with a software authenticator, such as Google Authenticator or Authy. Although hardware tokens and push notifications through an app are even safer options, they are not always available.

Banks Keep Using SMS Two Factor Authentication But It Sucks
A number of banks in Europe, including the Metro Bank in the UK, have fallen victim to an attack dubbed SS7. SS7 is a…www.lifehacker.com.au

Juice Jacking

Irrespective of the kind of devices you use, the power supply and the data stream pass over the same cable, turning you into an easy target of cybercrime. Juice jacking is a term used to describe a cyberattack in which a malicious user gains access to your phone via USB during the charging process to illegitimately access your phone’s data and/or inject malicious code into your device.

How to avoid juice jacking?

PortaPow 3rd Gen Data Blocker

Avoid plugging USB devices or cables of shady provenance into your laptop or mobile phone. They may be hosting malware or spyware with a keystroke logger, which can compromise your digital assets. The best way to avoid juice jacking on your mobile is to carry a personal battery backup for charging when necessary.

You can also wear a USB condom on your power cable, which will allow electricity to flow through while preventing data from being accessed or transferred.

— TheCrypt0Mask

Eye On Cyber: Beware Of Juice Jacking At Public Charging Stations
NEW YORK (CBSNewYork) – You’re waiting at the airport for a plane and notice your phone is low on power. You spot a…newyork.cbslocal.com

Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec
Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists…hackaday.com

Data Snooping over VPN

A Virtual Private Network (VPN) allows you to create a secure connection to another network over the Internet. VPNs can be used to access region-restricted websites or shield your browsing activity from prying eyes on public Wi-Fi. The trustworthiness of VPN companies has been called into doubt due to the latest reports on data snooping over VPN by internet service providers (ISPs).

How to avoid data snooping over VPN?

If you have the technical knowledge, you could build your own VPN. But if you do not have the technical skills needed to create your own VPN, you could use the Tor browser, which enables anonymous communication, but may result in sub-par speeds and user experience (UX). It is good to know that there are some VPN solutions, such as Sentinel (beta phase) and Orchid (under development), which could become de facto VPN solutions for the industry. Similarly, Tor R&D is expected to catch up with the current market needs.

Do You Trust Your VPN? Are You Sure?
How Big of a Deal Is It That the U.S. Shut Off the Russia Troll Farm’s Internet Access? Why Are We So Afraid of Each…slate.com

Password Manager Vulnerabilities

Password managers assist in generating, retrieving and keeping track of complex passwords across multiple accounts for you, potentially storing such passwords in an encrypted database or calculating them on demand.⁶ Unfortunately, password managers are vulnerable to hacking due to flaws in their code, as recently reported throughout mass media.

How to avoid password manager vulnerabilities?

If you are an avid password manager user, you might find that Trezor has an amazing hardware password manager: passwords are individually locked with the Trezor Password Manager, using your digital keys. Secrets are released one by one and only after your physical confirmation on your Trezor.

Review | Password managers have a security flaw. But you should still use one.
A new study has identified security flaws in five of the most popular password managers. Now for some counterintuitive…www.washingtonpost.com

Hardware Wallet Vulnerabilities

A hardware wallet is a special type of cryptocurrency wallet that stores its user’s private keys in a secure hardware device. Recently uncovered vulnerabilities in hardware wallets are unlikely to be critical. After all, in order to succeed in hijacking your digital assets, an attacker would need physical access to your device to install bogus firmware to acquire the PIN, then hack into your computer, and wait until the PIN is entered.

How to avoid hardware wallet vulnerabilities?

Hardware wallets have very few vulnerabilities that we should be worried about, but here are a few recommendations.

Buy directly from hardware wallet manufacturers. You should try to avoid re-sellers, who might be tempted to tamper with devices. There have been cases in which hardware wallets were delivered with the passphrase already generated.

Always make sure that the address to which you are sending cryptocurrencies is the same as the one shown on your hardware wallet. If it is different, you may be subject to a Man in the Middle (MITM) attack.

Never leave your hardware wallet unattended or exposed to third-party access, which would allow it to be updated with unwanted firmware.

Keep your recovery passphrase in a different place than your hardware wallet – not in digital form, but on paper, or even better on titanium – and store it somewhere only you have access to, i.e. a safe.

Text by Panama Crypto


[1] https://www.malwarebytes.com/malware/#what-is-malware

[2] http://www.phishing.org/what-is-phishing

[3] https://www.techopedia.com/definition/10286/keystroke-logger

[4] https://www.howtogeek.com/166497/htg-explains-what-is-juice-jacking-and-how-worried-should-you-be/

[5] https://www.howtogeek.com/133680/htg-explains-what-is-a-vpn/

[6] https://en.wikipedia.org/wiki/Password_manager

[7] https://en.bitcoin.it/wiki/Hardware_wallet


Many thanks to TheCrypt0Mask, MisterCh0c, and AndrePreoteasa for helping put together the above list of recommendations and peer reviewing this piece.